Summary
GitHub Actions is removing Node 20 from runners on 2026-09-16 and will force Node 24 as the default on 2026-06-02. Every run currently emits this annotation on actions/checkout@v4, actions/setup-node@v4, actions/upload-artifact@v4, actions/download-artifact@v4, and peaceiris/actions-gh-pages@v4:
Node.js 20 actions are deprecated. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026.
Observed on run 24216899512 (commit 0493999).
Scope
22 action pins across 4 workflow files:
| File |
Action |
Count |
.github/workflows/ci.yml |
actions/checkout@v4 |
4 |
.github/workflows/ci.yml |
actions/setup-node@v4 |
3 |
.github/workflows/ci.yml |
actions/upload-artifact@v4 |
4 |
.github/workflows/ci.yml |
actions/download-artifact@v4 |
2 |
.github/workflows/ci.yml |
peaceiris/actions-gh-pages@v4 |
1 |
.github/workflows/lighthouse.yml |
actions/checkout@v4 |
1 |
.github/workflows/lighthouse.yml |
actions/setup-node@v4 |
1 |
.github/workflows/lighthouse.yml |
actions/upload-artifact@v4 |
1 |
.github/workflows/release.yml |
actions/checkout@v4 |
1 |
.github/workflows/release.yml |
actions/setup-node@v4 |
1 |
.github/workflows/security.yml |
actions/checkout@v4 |
3 |
.github/workflows/security.yml |
actions/setup-node@v4 |
1 |
.github/workflows/security.yml |
actions/upload-artifact@v4 |
1 |
(Plus trufflesecurity/trufflehog@v3.94.3 in security.yml — already pinned to a SHA-equivalent tag, just needs a version check.)
Fix strategy
- Preferred: bump each action to the latest major that ships with Node 24. As of filing,
actions/checkout@v5, actions/setup-node@v5, actions/upload-artifact@v5, actions/download-artifact@v5 are all published with Node 24 support. Verify on the marketplace before bumping.
- Fallback (if a newer major isn't available or introduces breaking changes): set `env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true` at the workflow level to opt into Node 24 on the current `@v4` tag without a version bump. This is a reversible short-term bridge.
- Do not rely on `ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true` — per GitHub's deprecation notice that's a temporary post-forcing opt-out, not a long-term fix.
Acceptance criteria
Priority
Low/medium. Deadline is 2026-09-16 (~5 months out from today). No rush, but it's a one-afternoon PR and ideal to ship before the 2026-06-02 forcing date so we don't learn about breakage via a surprise red run.
Related
Summary
GitHub Actions is removing Node 20 from runners on 2026-09-16 and will force Node 24 as the default on 2026-06-02. Every run currently emits this annotation on
actions/checkout@v4,actions/setup-node@v4,actions/upload-artifact@v4,actions/download-artifact@v4, andpeaceiris/actions-gh-pages@v4:Observed on run 24216899512 (commit
0493999).Scope
22 action pins across 4 workflow files:
.github/workflows/ci.ymlactions/checkout@v4.github/workflows/ci.ymlactions/setup-node@v4.github/workflows/ci.ymlactions/upload-artifact@v4.github/workflows/ci.ymlactions/download-artifact@v4.github/workflows/ci.ymlpeaceiris/actions-gh-pages@v4.github/workflows/lighthouse.ymlactions/checkout@v4.github/workflows/lighthouse.ymlactions/setup-node@v4.github/workflows/lighthouse.ymlactions/upload-artifact@v4.github/workflows/release.ymlactions/checkout@v4.github/workflows/release.ymlactions/setup-node@v4.github/workflows/security.ymlactions/checkout@v4.github/workflows/security.ymlactions/setup-node@v4.github/workflows/security.ymlactions/upload-artifact@v4(Plus
trufflesecurity/trufflehog@v3.94.3insecurity.yml— already pinned to a SHA-equivalent tag, just needs a version check.)Fix strategy
actions/checkout@v5,actions/setup-node@v5,actions/upload-artifact@v5,actions/download-artifact@v5are all published with Node 24 support. Verify on the marketplace before bumping.Acceptance criteria
ci.yml,lighthouse.yml,release.yml,security.yml) pass on a push tomaindeploystill succeeds (peaceiris/actions-gh-pages@v4is the highest-risk pin — verify the gh-pages push works end-to-end)trufflehogscan still runs insecurity.yml(the pinned tag is independent of this deprecation but worth a sanity check)Priority
Low/medium. Deadline is 2026-09-16 (~5 months out from today). No rush, but it's a one-afternoon PR and ideal to ship before the 2026-06-02 forcing date so we don't learn about breakage via a surprise red run.
Related
docs/CICD_AUDIT_REPORT.md— post-overhaul forensic record of the pipeline (committed in240b143)